
A guide to monetizing risks for security spending decisions

Curt Dalton | April 7, 2015
Security executives routinely have to make tough decisions about which risks to mitigate, which to avoid or transfer and which to accept. Your security budget has its limits. You have a finite amount of cash to spend on people and technologies to keep your business' risk to an acceptable level, so you have to make your decisions wisely.

Let's say your organization has 2,000 people who require your ERP application to be up and running to do their daily jobs. If an exploit resulted in your ERP application being unavailable for two business days and the average employee represents $500/day of revenue to your business, the lost revenue impact would be $2M. When we add these two impact valuations together we end up with a total impact of $5.76M. We can now plug these values into our risk monetization formula.

Therefore in our example, the monetized risk of a data breach within your ERP application is a little more than $1.5M. What is intentionally not included in the above calculation is the cost attributed to breached intellectual property or potential damage to your brand name if a breach is publicized. These are data points you will also have to consider, since they are as unique as your business.

The next question is, when considering the risks that could impact your most critical assets, which will you choose to address and how will you address them?

Risk decision making

Now that you've monetized your key risks, prioritizing them should be more straightforward than perhaps it ever was. You can opt to order them by highest monetized value first, or intersperse them with those of lower impact. Whatever your approach, be mindful that when making risk decisions, compliance is a cost of doing business. So while risk monetization results won't necessarily indicate whether or not to mitigate a compliance-based risk, there is still an important benefit, since you will have a better understanding of the cost of compliance.

Identifying when to mitigate, and when to manage, transfer, or avoid a risk is the most difficult decision and, frankly, the one that could either make you a superstar in the office or drive you to polish up your resume. You will need to have a very good idea of your organization's risk appetite (its willingness, or not, to live with more or less risk). As a guide, a variation on Pareto's principle (also known as the 80/20 rule) seems to be an uncanny fit (fig. 6).

By applying the above 80/20 rule to risk decision-making, you are stating that you require a 4:1 ratio of benefit-to-cost. You can adjust this benefit-to-cost ratio according to your organization's particular risk appetite. After applying this thinking, you will be able to show executive management that your decisions follow a logical, methodical and consistent thought process. As a result, recommendations will be better rooted in the business' objectives.

When we plug our ERP example into a cost-benefit analysis formula (fig. 7), the monetized risk valuation ($1,552,320) is substituted for Cr and 0.25 is substituted for Cmr, since a 4:1 benefit-to-cost ratio implies our mitigation cost should be one quarter of the monetized risk. Then, solving for Cm, we end up with a good mitigation cost guideline to address this risk.
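An added illustration, not from the article, that carries the ERP numbers through the lost-revenue step and the 4:1 guideline, then applies the same guideline across a small risk register. The register entries other than the ERP figure are constructed values, and the assumption that Cm = Cr × Cmr follows from the text's statement that mitigation cost should be one quarter of the monetized risk.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    monetized_risk: float    # Cr: monetized risk in dollars
    est_mitigation: float    # engineering/vendor estimate of the control's cost


def lost_revenue_impact(headcount, revenue_per_person_day, days_down):
    """Revenue lost while an application is unavailable (the article's ERP step)."""
    return headcount * revenue_per_person_day * days_down


def mitigation_ceiling(cr, benefit_to_cost=4.0):
    """Cm guideline: the most you should spend to mitigate a risk valued at Cr.

    Cmr is the mitigation-to-risk cost ratio implied by the benefit-to-cost
    ratio (0.25 for 4:1). Assumed relationship: Cm = Cr * Cmr.
    """
    cmr = 1.0 / benefit_to_cost
    return cr * cmr


def prioritize(risks, benefit_to_cost=4.0):
    """Order risks by monetized value, highest first, and flag whether the
    estimated control cost fits inside the guideline for that ratio."""
    out = []
    for r in sorted(risks, key=lambda x: x.monetized_risk, reverse=True):
        ceiling = mitigation_ceiling(r.monetized_risk, benefit_to_cost)
        if r.est_mitigation <= ceiling:
            decision = "mitigate"
        else:
            decision = "revisit: cheaper control, or manage/transfer/avoid"
        out.append((r.name, round(ceiling, 2), decision))
    return out


# Constructed register: the ERP value is the article's; the rest are made up.
REGISTER = [
    Risk("ERP data breach", 1_552_320, 300_000),
    Risk("Unencrypted laptops", 200_000, 120_000),
    Risk("Stale admin accounts", 600_000, 90_000),
]

if __name__ == "__main__":
    print(lost_revenue_impact(2_000, 500, 2))   # ERP outage revenue impact
    for row in prioritize(REGISTER):
        print(row)
```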
